diff --git a/api/client/trust.go b/api/client/trust.go
index 35841ecd83..32cfabee6f 100644
--- a/api/client/trust.go
+++ b/api/client/trust.go
@@ -339,6 +339,7 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
 if err != nil {
 return notaryError(repoInfo.FullName(), err)
 }
+ logrus.Debugf("retrieving target for %s role\n", t.Role)
 r, err := convertTarget(t.Target)
 if err != nil {
 return err
@@ -510,7 +511,6 @@ func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository,
 // Also don't bother checking the keys if we can't add the target
 // to this role due to path restrictions
 if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
- fmt.Println("skipping", delegationRole.Name)
 continue
 }
 
diff --git a/integration-cli/check_test.go b/integration-cli/check_test.go
index 6ce801bc1b..aab8e4a786 100644
--- a/integration-cli/check_test.go
+++ b/integration-cli/check_test.go
@@ -2,8 +2,11 @@ package main
 
 import (
 "fmt"
+ "os"
+ "path/filepath"
 "testing"
 
+ "github.com/docker/docker/cliconfig"
 "github.com/docker/docker/pkg/reexec"
 "github.com/go-check/check"
 )
@@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {
 if s.not != nil {
 s.not.Close()
 }
+
+ // Remove trusted keys and metadata after test
+ os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
 s.ds.TearDownTest(c)
 }
diff --git a/integration-cli/docker_cli_pull_trusted_test.go b/integration-cli/docker_cli_pull_trusted_test.go
index fdaaaa1a82..34261ff432 100644
--- a/integration-cli/docker_cli_pull_trusted_test.go
+++ b/integration-cli/docker_cli_pull_trusted_test.go
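Review bot: The format string of the `logrus.Debugf` call added to trustedPull in api/client/trust.go ends with `\n`, which is redundant because logrus terminates each entry itself, so the escape ends up inside the logged message; `logrus.Debugf("retrieving target for %s role", t.Role)` is enough. The integration test added in this commit matches on this exact debug text, so a one-line comment above the call such as `// integration tests match on this message` would keep a later rewording from silently breaking the role check. trustedPull starts and ends outside the hunk.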
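Review bot: The `os.RemoveAll` call added to TearDownTest in integration-cli/check_test.go discards its error, so a failed cleanup leaves signing keys and trust metadata behind for the next test, which is the leakage this line is meant to stop. `c.Check(os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust")), check.IsNil)` would report the failure and still let `s.ds.TearDownTest(c)` run. The path comes from `cliconfig.ConfigDir()` as seen by the test process; nothing in this hunk shows the suite pointing that at a throwaway directory, so it is worth confirming that a local run cannot delete the real trust keys of whoever starts the tests. TearDownTest begins outside the hunk.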
@@ -254,3 +254,56 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
 _, err = inspectFieldWithError(imageID, "Id")
 c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
 }
+
+func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
+ targetName := fmt.Sprintf("%s:latest", repoName)
+ pwd := "12345678"
+
+ // Push with targets first, initializing the repo
+ dockerCmd(c, "tag", "busybox", targetName)
+ pushCmd := exec.Command(dockerBinary, "push", targetName)
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+ out, _, err := runCommandWithOutput(pushCmd)
+ c.Assert(err, check.IsNil, check.Commentf(out))
+
+ // Try pull, check we retrieve from targets role
+ pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)
+ s.trustedCmd(pullCmd)
+ out, _, err = runCommandWithOutput(pullCmd)
+ c.Assert(err, check.IsNil, check.Commentf(out))
+ c.Assert(out, checker.Contains, "retrieving target for targets role")
+
+ // Now we'll create the releases role, and try pushing and pulling
+ s.notaryCreateDelegation(c, repoName, pwd, "targets/releases", s.not.keys[0].Public)
+ s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
+ s.notaryPublish(c, repoName, pwd)
+
+ // Push, should sign with targets/releases
+ dockerCmd(c, "tag", "busybox", targetName)
+ pushCmd = exec.Command(dockerBinary, "push", targetName)
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+ out, _, err = runCommandWithOutput(pushCmd)
+
+ // Try pull, check we retrieve from targets/releases role
+ pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+ s.trustedCmd(pullCmd)
+ out, _, err = runCommandWithOutput(pullCmd)
+ c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+
+ // Create another delegation that we'll sign with
+ s.notaryCreateDelegation(c, repoName, pwd, "targets/other", s.not.keys[1].Public)
+ s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
+ s.notaryPublish(c, repoName, pwd)
+
+ dockerCmd(c, "tag", "busybox", targetName)
+ pushCmd = exec.Command(dockerBinary, "push", targetName)
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+ out, _, err = runCommandWithOutput(pushCmd)
+
+ // Try pull, check we retrieve from targets/releases role
+ pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+ s.trustedCmd(pullCmd)
+ out, _, err = runCommandWithOutput(pullCmd)
+ c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+}
diff --git a/integration-cli/docker_cli_push_test.go b/integration-cli/docker_cli_push_test.go
index 17a7a31d7e..73ed7fdd88 100644
--- a/integration-cli/docker_cli_push_test.go
+++ b/integration-cli/docker_cli_push_test.go
@@ -631,7 +631,7 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
 pushCmd := exec.Command(dockerBinary, "push", targetName)
 s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
 out, _, err := runCommandWithOutput(pushCmd)
- c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeed but should have failed:\n%s", out))
+ c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeeded but should have failed:\n%s", out))
 c.Assert(out, checker.Contains, "no valid signing keys", check.Commentf("Missing expected output on trusted push without keys"))
 }
 
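Review bot: In TestTrustedPullReadsFromReleasesRole the second and third push and pull assign `err` but never check it, so a push that fails to sign with the delegation key goes unnoticed. This matters most in the last stage: if the push after adding `targets/other` fails, the following pull presumably still finds the earlier `targets/releases` signature, and the final assertion passes without exercising the role preference the test is named for. Add `c.Assert(err, check.IsNil, check.Commentf(out))` after each of those four `runCommandWithOutput` calls, as the first push and pull already do. The comment above the last pull would also be clearer if it said why `targets/releases` is still expected once `targets/other` has signed.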